If you thought that using a longer password is better for your security than a short password, you might want to think again.
New research from Specops Software has found that even 15-character passwords are in the top ten most common password lengths that can be compromised (eighth). The most compromised length was eight characters, accounting for 212.5 million of the company’s four billion Password protection database breached.
Specops suspects this is most common because eight characters is the standard length for Active Directory passwords. As expected, the proportion of compromised passwords decreases as character length increases.
Time to crack
This led Darren James, Senior Product Manager at Specops Software, to conclude: “longer passwords are better… however, it’s important to understand that equipping users with strong, long passwords is not a foolproof way to prevent compromised credentials .”
He added: “Attackers can still find workarounds – and user behavior can undo good password policies.”
When it comes to the actual content of the passwords themselves, again it’s no big surprise that “password” tops the list of eight-character phrases. For 15 characters, the phrase ‘Sym_newhire’ appears as the second and third most compromised passwords: ‘Sym_newhireOEIE’ and ‘Sym_newhireOAIE’.
It’s essential for businesses to have strong passwords, as Specops also cites figures from Verizon that claim as many as 86% of all attacks start with the use of stolen credentials.
Increasing the length can protect against brute force tearing. Specops calculates that cracking an eight-character password, even passwords containing both numbers and lowercase letters, can take just five minutes. On the other hand, a 15-character password can take up to 37 million years to crack.
However, the report warns that this “should not give organizations a false sense of security, as this is only part of the battle for password security.” For example, it does not matter whether the login details are stolen via phishing attacks.
Using one of the best business password management solutions can help further secure your passwords, as they often come with dark web monitoring features that notify users if stored credentials have been leaked in a known data breach.
But looking further ahead, the whole discussion may be academic, as passkeys, the new passwordless technology that is gaining traction, mean there are no credentials to crack or even phish. Some identity management solutions and enterprise password managers already offer this capability to enterprises.